VCDPA Rights: A Comprehensive Overview of Them

Table of Contents

Businesses of the modern-day digital era constantly have to be on their toes when it comes to new consumer data protection acts, especially for those who own businesses in Virginia or that deal with Virginians who now have to keep up with the VCDPA rights.

If you own a business and are unsure what this means for you, then stay tuned! We will help you know what you need to know to remain operational and compliant within the state of Virginia.

In this article, we will cover an overview of what the VCDPA is, explain all the rights that it gives to the consumers, and elaborate on what it means for your business and how you should handle your compliance services to meet the state standards.

Let’s dive in.

Key Takeaways

The VCDPA provides further rights to consumer data subjects that most major businesses will have to comply with.

There are a number of VCDPA rights that the consumer data subject has. Each right will require your business to have a developed compliance plan in order to meet the needs of consumer data rights.

Businesses that fail to meet the needs of consumer data requests could receive a penalty from the VCDPA ace attorney general. Business owners do have access to tips and methods on how to deliver compliance solutions in an efficient manner.

Overview of the VCDPA

The VCDPA is a significant consumer data protection law that gives consumers in the state of Virginia that allows consumers more control of their data and to be treated with protection.

It also mandates businesses to do frequent data protection assessments if sensitive data is processed to measure the potential risk factors in business operations.

The law also imposes some restrictions on the use of de-identified and modified data to no longer be directly tied to the individuals from whom the data originated. Businesses must do what is necessary to ensure that both de-identified and modified data can not be traced back to the original person.

The state privacy law went into effect on Jan 1st, 2023. It is overseen by the Virginia attorney general who enforces it.

The overall significance of the VCDPA is that it further rectifies the privacy rights of consumer data subjects for Virginia residents. Businesses that meet that criterion of the VCDPA will have to follow data protection regulations and be compliant with the imposed laws to ensure responsible handling of consumer data.

Who Does the VCDPA Provide Rights to?

The VCDPA provides consumer data rights to most Virginia residents. However, there are certain exemptions for individuals who are under the act of employment and commercial contexts.

According to the VCDPA, consumer data rights are given to those who are natural persons in the state of Virginia. It means that, simply, anyone who operates on day-to-day, non-commercial or employment tasks is given consumer data privacy rights.

Those who are employed and operating under the act for commercial and employment purposes are not given consumer protection rights because they are not defined as individual persons but rather an entity of the business.

The VCDPA applies regulations to businesses that meet certain criteria. Businesses that handle the personal data of over 100,000 consumers in a calendar year or businesses that have personal data of 25,000 consumers and make over 50 percent of their gross revenue off those consumers must follow VCDPA compliance laws.

Businesses that don’t meet these statistics or fall under the category of financial, educational institutions or non-profit are exempt from the VCDPA and will not need to provide Virginians data subject rights.

VCDPA Rights for Consumers

There are a number of consumer data protection rights that the VCDPA provides to Virginia consumers. Below are the rights covered, as well as potential steps your businesses can use to ensure compliance.

1. Right to Know, Access, and Confirm Personal Data

Under the VCDPA, general consumers who are not under the act of employment and commercial purposes have basic rights that allow them to know if there is personal data bout them on file, as well as the ability to request access and confirmation if the information is accurate.

As a business, you would want to have employees who are knowledgeable of current data privacy laws as well as utilized compliance training programs. Conducting a data protection assessment should also always be done before continuing forward with the data processing.

Make sure that your employees follow strict data security protocols, such as verifying the consumer data subject’s identity, measuring the risk factors involved with their request, and being open and transparent with them about the data that has been collected on file.

2. Right to Delete Personal Data

In addition to the consumer’s right to know, access and confirm, they also have the right to deletion if they wish to do so. Legal reasons for deletion can pertain to a change of the data subject consent, privacy concerns, or them deeming that it is no longer necessary for the business to have.

The key to addressing this compliance is transparency and communication. Your business’s data controller must be able to communicate well to the consumer of the business use of the personal data. Data controllers should also carefully listen to the consumer’s reasoning for deletion to ensure it falls under the legal criteria.

As always, ensure that your data controllers know to evaluate the potential risk factors involved through a data protection assessment, as well as standard identification verification procedures. They should also document any changes or access requests on file for record-keeping purposes.

3. Right to Correct Inaccurate Personal Data

Consumer data subjects are given the right to make modifications to data on file if they deem it to be inaccurate. Things such as names, addresses, phone numbers and gender are factors that can be corrected by the consumer.

Addressing the consumer’s change to personal data should be straightforward if they pass the verification process. Making sure that the consumer has their personal data correct in a reasonable time frame is the best way to ensure the best compliance.

4. Right to Data Portability

The VCDPA gives consumers the right to request and obtain their documented personal data in their own possession, as well as have the ability to transfer their personal data to another data controller.

Businesses that the VCDPA applies to must consent and begin the processing of the data transfer to the consumer if they pass the verification process.

Transferring the consumer data to another data controller is more involved. It will require your business to do a more thorough data protection assessment to determine if the transfer of personal information is in the safe hands of the new data controller.

Ultimately, your business must verify the identity of the new data controller to ensure that they do not impose any potential data privacy risks to both the consumer subject and your business.

5. Right to Opt-Out of Data Processing Activities

Consumer data subjects under the VCDPA have the right to opt out of personal and sensitive data-gathering activities at any time they wish to withdraw consent from the business in practice.

If a consumer requests to opt out of having either their personal or sensitive data collected, then your business is obligated to stop if it falls under the scope of the VCDPA.

All data collection must be stopped for the individual who requested to opt out. Your business may want to ask for the data subject’s consent if it is okay to hold on to data on file. Continuing to ask for permissions rather than assuming it is safe to keep or use consumer data is the best and safest way to maintain corporate compliance.

6. Right to Opt-Out of Sale of Personal and Sensitive Consumer Data

Consumers under the VCDPA also have the addition to opt out of having their personal and sensitive data sold to third-party marketing services.

All businesses that the VCDPA applies to must respect the consumer data subject’s consent to opt out of the sale of personal data, especially the sale of sensitive data.

The best way to be compliant with your consumer data subjects is to make the ability to opt out as easy as possible. It is recommended that your website make a user-friendly design so that it is targeted forward for them to do.

Streamlining the process makes data processing more convenient and puts less stress on your business’s operational resources.

Obligations to Facilitate DSARs Under the VCDPA

Your business should always have designated methods and strategies in place to follow when trying to be compliant under the VCDPA. Luckily, there are a few simple methods that businesses can use to help make compliance be achieved with efficiency.

Having a toll-free number can help by directing customer calls to the correct department where they need to have their questions answered and services provided without wasting time on having to transfer calls.

Another simple tip for businesses that want to make compliance more managed is to have a separate designated business email that handles data processing requests. Having multiple email addresses can reduce the chances of the data subject’s email getting lost and will make follow-ups easier to manage.

It is very important to know businesses are on time limits to respond and address the data subjects’ requests and concerns. Businesses have 45 days for the data subject request to be solved, but more complex requests can warrant a 45+ days extension. However, you must not have an unreasonable delay.

Can Consumers File Lawsuits Under the VCDPA for Violations?

While the VCDPA does give consumer data rights to its citizens, the citizens themselves are not capable of filing a lawsuit if they believe that there was a breach of compliance consent.

With that said, consumer data subjects can file complaints to the VCDPA attorney general, which could warrant an investigation. If the Ace attorney general finds evidence that supports the consumer data subjects’ complaints, then the attorney general could seek charges that could amount to up to $7,500 per violation.

VCDPA Rights vs CPRA Rights

If you are a business that is also concerned with the CPRA rights, then you should know that both VCDPA and CPRA have some differences in terms of which data subject rights are granted.

Right to initiate private litigation following certain types of unaddressed security breaches involving user’s non-encrypted or non-redacted sensitive information is provided under the CPRA. However, under the VCDPA, a consumer cannot sue a business for non-compliance with the VCDPA.

Additionally, the CPRA provides consumers with enhanced privacy controls by allowing them limits over how businesses handle SPI – such kinds as government identifiers, precise geolocation details, financial account credentials, especially barring its usage beyond defined essential reasons.

Even if you have a business that doesn’t fall under the regulations of the CPRA, it is still recommended that you be aware that data privacy can differ widely in certain states.


Keeping up to date on the current data laws can be overwhelming, especially if your business must be compliant with several state and national laws with their own take on data rights and regulations. This is why sometimes the best solution to running a business is to consider investing in outsourced compliance services.

Captain Compliance can help alleviate the stresses of owning a business in today’s digital world. We know that consumer data laws aren’t everyone’s cup of tea, which is why we have experts who are trained and ready to handle those services for you in advance.

If you are interested in having our experts help manage your business compliance solutions, then don’t hesitate to get in touch with one of our experts today!


Does the VCDPA apply to small businesses?

The VCDPA does account for small businesses if they meet the criteria of either having collected data from over 100,000 consumers or if they have 25,000 and made over fifty percent of their gross income from that consumer data.

Learn how to draft a small business privacy policy in this comprehensive guide.

Are there any specific data security guidelines in the VCDPA that businesses should follow?

All businesses that fall under the VCDA must perform a general data protection assessment to mitigate data security risks. Ultimately, the businesses are responsible for determining the extent of the method used for determining the risk involved in performing a specific data processing request.

Here are the best cybersecurity compliance services for your business.

Can businesses charge consumers for data requests?

In most cases, no. The VCDPA provides consumer data protection rights that allow them to have access to their personal and sensitive data for free. However, in some cases, a business can charge for data request service if the consumer is making excessive demands that could warrant it.

Learn more about DSAR costs and when it’s acceptable to charge consumers for exercising their rights.

Does the VCDPA require businesses to appoint a Data Protection Officer (DPO)?

Yes, businesses that meet VCDPA must have an appointed DPO to oversee the data processing activities. The DPO would also be responsible for implementing data privacy policies within the business to ensure that it meets the VCDPA regulations.

See here how your business can easily outsource a data protection officer.

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a free 30-day trial now.